Lower and upper bounds on the secret key rate for quantum key distribution
protocols using one-way classical communication
We investigate a general class of quantum key distribution (QKD) protocols using one-way classical
communication. We show that full security can be proven by considering only collective attacks. We
derive computable lower and upper bounds on the secret key rate of those QKD protocols involving
only entropies of two-qubit density operators. As an illustration of our results, we determine new
bounds for the BB84, the six-state, and the B92 protocol. We show that in all these cases the
first classical processing that the legitimate partners should apply consists in adding noise. This is
precisely why any entanglement-based proof would generally fail here.

PACS numbers: 03.67.Dd,03.67.-a 

Quantum cryptography, the art of exploiting quantum physics to defeat any possible eavesdropper,
has rapidly grown over the last decade from the level of a nice idea into an entire branch of
physics. Indeed, the first commercial equipment is already on offer.

A generic QKD protocol can be divided into two parts:

I) Distribution of quantum information and measurement

II) Classical part consisting of parameter estimation and classical post-processing (CPP).

To implement the quantum part of the protocol, the two legitimate persons, Alice ($A$) and Bob ($B$),
agree on some encoding/decoding procedure. We denote by $S_0 = \{|\phi_j^0\rangle\}_{j \in J}$ and
$S_1 = \{|\phi_j^1\rangle\}_{j \in J}$, where $J = \{1, \ldots, m\}$, the sets of states used to encode
the bit value 0, 1, resp. First, $A$ sends $n$ qubits prepared at random in the state
$|\phi_{j_1}^{i_1}\rangle \otimes \ldots \otimes |\phi_{j_n}^{i_n}\rangle = |\phi_{\mathbf{j}}^{\mathbf{i}}\rangle$
to $B$. The adversary, Eve ($E$), interacts now with all the qubits sent by $A$. She applies a unitary
transformation to all those qubits and an ancilla in the state $|0\rangle$. The state $E$ and $B$ share
then is given by
$|\Phi_{\mathbf{j}}^{\mathbf{i}}\rangle_{BE} = U_{BE}\, |\phi_{\mathbf{j}}^{\mathbf{i}}\rangle_B\, |0\rangle_E$.
Next, $B$ applies some filtering operation and measures his qubits in the z-basis. $A$ and $B$ compare
publicly which encoding/decoding operation they used and keep only those pairs of qubits where they
were compatible (sifting). The state describing $E$'s system is
$|\Phi^{\mathbf{i}}_{\mathbf{j},\mathbf{k}}\rangle_E = \langle \mathbf{k}|\, B_{\mathbf{j}}\, U_{BE}\, |\phi_{\mathbf{j}}^{\mathbf{i}}\rangle_B\, |0\rangle_E$,
where we denoted by $B_{\mathbf{j}}$ the filtering operation used by $B$ and by $\mathbf{k}$ his
z-measurement outcome. $A$ and $B$ compare now publicly some of their measurement outcomes to estimate
the quantum bit error rate (QBER).

The security of the protocol relies on the fact that $E$, trying to gain information about the bit
values, introduces some error due to the laws of quantum mechanics. However, any realistic channel
used by $A$ and $B$ is noisy, i.e. QBER > 0. In order to ensure that the protocol is secure one must
assume that all the noise (estimated by $A$ and $B$) is due to an unlimited eavesdropping attack, a
coherent attack. $A$ and $B$ know how to counter such an adversary: they apply a CPP, consisting of
error correction (EC) and privacy amplification (PA). This general principle leaves a central
question open: How much error can be tolerated in order to be able to distill a secret key? This is
precisely what we concentrate on in this paper.

Previous security proofs are based on the following observations [11, 12]. Instead of preparing a
system and then sending it to $B$, $A$ can equivalently prepare $B$'s system at a distance by using an
entangled state (entanglement-based scheme). If $A$ and $B$ could purify their state to singlets,
their systems cannot be entangled to $E$. The essential feature can be carried out processing only
classical data, leading to perfectly correlated data.

We present here a different kind of security proof, not based on entanglement, for a class of QKD
protocols including the BB84, the 6-state, and the B92 protocol [13, 14, 15]. First of all, we
determine the state shared by $A$ and $B$ (using the entanglement-based scheme) after a general
eavesdropping attack. Then we analyze the classical part of the protocol, i.e., parameter estimation
and CPP, for the case of one-way communication. We present a new formula for the secret key length.
Then we derive a lower bound on the secret key rate involving only entropies of two-qubit density
operators. We also present an upper bound on the secret key rate. At the end we illustrate our
results by determining new values for the lower bounds for the BB84, the 6-state, and the B92
protocol. These new bounds are generally stronger than those achievable with entanglement-based
security proofs.

To study the entanglement-based scheme we use the same notation as before and define the encoding
operators $A_j = |0\rangle\langle(\phi_j^0)^*| + |1\rangle\langle(\phi_j^1)^*|$ and the decoding
operators $B_j = |0\rangle\langle\phi_j^{1\perp}| + |1\rangle\langle\phi_j^{0\perp}|$, where
$|\phi_j^{i\perp}\rangle$ denotes the orthogonal state to $|\phi_j^i\rangle$ and
$|(\phi_j^i)^*\rangle$ denotes the complex conjugate of $|\phi_j^i\rangle$ in the computational basis
for $i = 0, 1$ and $j \in J$. Note that those operators are not necessarily unitary, e.g. for the B92
protocol. After applying one of those filtering operations $A$ and $B$ measure in the z-basis,
associating to the outcome the bit values 0 or 1. Using the fact that
$A^T \otimes 1\, |\Phi^+\rangle = 1 \otimes A\, |\Phi^+\rangle$ for any operator $A$ and
$|\Phi^+\rangle = 1/\sqrt{2}\,(|00\rangle + |11\rangle)$ and that the operators applied on $A$'s
systems commute with the operator applied by $E$ it is easy to verify that

where $|\Phi_{\mathbf{j}}\rangle_{ABE} = A_{\mathbf{j}} \otimes B_{\mathbf{j}}\, U_{EB}\, |\Phi^+\rangle^{\otimes n}_{AB}\, |0\rangle_E$.
To account for all the different realizations ($\mathbf{j}$) we introduce a new system $R_1$ and
define the state
$|\chi_0\rangle_{ABER_1} = \sum_{\mathbf{j}} \sqrt{p_{\mathbf{j}}}\, |\Phi_{\mathbf{j}}\rangle_{ABE}\, |\mathbf{j}\rangle_{R_1}$,
with $p_{\mathbf{j}}$ determining the probability with which $A$ and $B$ decide to keep the systems in
case they used the operators $A_{\mathbf{j}}$, $B_{\mathbf{j}}$. Now, first of all $R_1$ measures and
obtains the outcome $\mathbf{j}$. The state shared by $A$, $B$, and $E$ is then
$|\Phi_{\mathbf{j}}\rangle_{ABE}$.

Let us now introduce an equivalent protocol where $A$ and $B$ additionally apply the following
operations: (I) $A$ and $B$ apply both the same unitary transformation, $U_{l_1}$, chosen for each
qubit at random among $U_1 = 1$, $U_2 = \sigma_z$, with $\sigma_z$ one of the Pauli operators. The
equivalence to the previous protocol is due to the fact that the state describing $E$'s system is not
changed. (II) $A$ and $B$ can decide to flip their bit values (both at the same time). We combine the
first two possible operations. The operator $O_{\mathbf{l}}$ denotes a unitary operator of the form
$U_{l_1} V_{l_2}$, for $l_1, l_2 \in \{1, 2\}$, and $V_1 = 1$, $V_2 = \sigma_x$. Since we assume that
both apply the same operation, they need to communicate classically. This exchanged classical
information will be denoted by $\mathbf{l}$. (III) $A$ and $B$ are also free to permute their
qubits/bits. Obviously, they have to use the same permutation operators, $P_{\mathbf{m}}$. The
classical information which has to be exchanged is denoted by $\mathbf{m}$.

We introduce now two random number generators, $R_2$ and $R_3$, which account respectively for the
operators $O_{\mathbf{l}}$ and $P_{\mathbf{m}}$. The state describing all the systems is
$|\chi\rangle_{ABER_1R_2R_3}$



H3' 



£j,l,«n ^ \^X^) A BE \j) Rl \ l ) R2 l m ) 



with 



|0) 



E ' 

the state shared by $A$, $B$, and $E$ for the particular realization
$(\mathbf{j}, \mathbf{l}, \mathbf{m})$.

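Let us now relax the assumptions about $E$. We provide $E$ with all the systems $R_1, R_2, R_3$.
Since she can measure the $R$ systems ending up in the same situation as before, we clearly provide
her with at least as much power as she had before. The state $A$ and $B$ share is given by the
partial trace of the state $|\chi\rangle_{ABER_1R_2R_3}$ over $E, R_1, R_2, R_3$. We find
$\rho^n_{AB} = \mathcal{D}_S\{\mathcal{D}_2^{\otimes n}[\mathcal{D}_1^{\otimes n}(\rho^0_{AB})]\}$.
Here the normalized state $\rho^0_{AB} = \mathrm{tr}_E(P_{|\Phi_0\rangle})$ with
$|\Phi_0\rangle = U_{EB}\, |\Phi^+\rangle^{\otimes n}_{AB}\, |0\rangle_E$ and $\mathcal{D}_S$ the
completely positive map (CPM) symmetrizing the state with respect to all qubit pairs [17]. The CPM
$\mathcal{D}_1$ is entirely defined by the protocol and is given by
$\mathcal{D}_1(\rho) = \sum_j p_j\, A_j \otimes B_j\, (\rho)\, A_j^\dagger \otimes B_j^\dagger$,
$\mathcal{D}_2$ is independent of the protocol, and is defined as
$\mathcal{D}_2(\rho) = \sum_{\mathbf{l}} O_{\mathbf{l}} \otimes O_{\mathbf{l}}\, (\rho)\, O_{\mathbf{l}}^\dagger \otimes O_{\mathbf{l}}^\dagger$,
i.e. the depolarization map transforming any two-qubit state into a Bell diagonal state. This implies
that the density operator $A$ and $B$ share, before their measurement in the z-basis, has, for any
protocol, the simple form

$$\rho^n_{AB} = \sum_{n_1,n_2,n_3,n_4} \lambda_{n_1,n_2,n_3,n_4}\, \mathcal{D}_S\big(P^{\otimes n_1}_{|\Phi_1\rangle} \otimes P^{\otimes n_2}_{|\Phi_2\rangle} \otimes P^{\otimes n_3}_{|\Phi_3\rangle} \otimes P^{\otimes n_4}_{|\Phi_4\rangle}\big). \qquad (1)$$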



Here, the sum is performed such that $n_4 = n - n_1 - n_2 - n_3$, with $n_i \geq 0$. The states
$|\Phi_{1/2}\rangle = 1/\sqrt{2}\,(|00\rangle \pm |11\rangle)$ and
$|\Phi_{3/4}\rangle = 1/\sqrt{2}\,(|10\rangle \pm |01\rangle)$ denote the Bell basis. Note that this
state is separable with respect to the different qubit pairs. Note further that this result
(Eq. (1)) is independent of the CPP, thus, it can also be used in order to investigate any protocol
employing two-way CPP.

The CPM $\mathcal{D}_2$ does not depend on the protocol and is only due to the operations
$O_{\mathbf{l}}$. In principle, $A$ and $B$ can apply (independently) any unitary transformations of
the sort $e^{i\epsilon\sigma_z}$ to their qubits before they measure them in the z-basis. The state
describing $E$'s system would then be, up to a global phase, equivalent to
$|\Phi^{\mathbf{i}}_{\mathbf{j},\mathbf{k}}\rangle_E$. This can be also seen as follows: If the basis
(say the z-basis) in which a certain state, $\rho$, is measured is known then we can define a set of
operators which are in the measurement basis reducible to $\rho$. Any state of the form
$\rho' = \sum_i p_i\, O_i \otimes 1\, \rho\, O_i^\dagger \otimes 1$, with $p_i \geq 0$,
$\sum_i p_i = 1$ and unitary operators $O_i$ diagonal in the measurement basis, i.e.
$O_i |i\rangle = \lambda_i |i\rangle$, with $|\lambda_i|^2 = 1$, leads to the same measurement
statistics, i.e.
$|i\rangle\langle i|\, \rho'\, |i\rangle\langle i| = |i\rangle\langle i|\, \rho\, |i\rangle\langle i|$, $\forall i$.
Obviously, the same holds for operators acting on $B$'s system. Thus, if the measurement basis is
known, we can choose any of those reducible operators. If furthermore $A$ and $B$ symmetrize their
qubit pairs by the operations described in (II) and (III), then the state describing their qubits
has the form of Eq. (1). If we then provide $E$ with a purification of this state then we might only
increase her power [28]. Note that the symmetrization described in (II) and (III) commutes with a
measurement in the z-basis.

In order to analyze the classical part of the protocol we partially use some of the
information-theoretic arguments which were first proposed to analyze the security of a large class
of QKD protocols. We assume that $A$ and $B$ hold strings $X^n$ and $Y^n$, resp., obtained by
measuring a given state $\rho^n_{AB}$, e.g., the state presented in (1).

Let us first consider the CPP consisting of three steps. The protocol is one-way, i.e., only
communication from, say, $A$ to $B$ is needed. I) Pre-processing: Using her bit string $X^n$, $A$
computes two strings $U^n$ and $V^n$, according to given conditional probability distributions
$P_{U|X}$ and $P_{V|U}$, resp. She keeps $U^n$ and sends $V^n$ to $B$. II) Information
reconciliation: $A$ computes error correcting information $W$ from $U^n$ and sends $W$ to $B$. Using
his information, $Y^n$ and $W$, $B$ computes a guess $\hat{U}^n$ for $U^n$. III) Privacy
amplification: $A$ randomly chooses a function $F$ from a family of two-universal hash functions and
sends a description of $F$ to $B$ [22]. Then $A$ and $B$ compute their keys, $S_A = F(U^n)$ and
$S_B = F(\hat{U}^n)$, resp.

Let us introduce some notation before analyzing this protocol. We describe the classical
information of $A$ and $B$ as well as the quantum information of $E$ by a tripartite density operator
$\rho_{XYE}$ of the form
$\rho_{XYE} = \sum_{x,y} P_{XY}(x,y)\, P_{|x\rangle} \otimes P_{|y\rangle} \otimes \rho_E^{x,y}$,
where $\{|x\rangle\}_x$ and $\{|y\rangle\}_y$ are families of orthonormal vectors and where
$\rho_E^{x,y}$ is the quantum state of $E$ given that $A$ and $B$'s values are $x$ and $y$, resp.
Similarly, $\rho_{S_A S_B E'}$ describes the classical key pair $(S_A, S_B)$ together with the
adversary's information $\rho_{E'}$ after the protocol execution. We say that $(S_A, S_B)$ is
$\epsilon$-secure if
$\| \rho_{S_A S_B E'} - \sum_{s \in \mathcal{S}} \frac{1}{|\mathcal{S}|}\, P_{|s\rangle} \otimes P_{|s\rangle} \otimes \rho_{E'} \| \leq \epsilon$.
Note that this definition leads to the so-called universally composable security, which implies that
the key can safely be used in any arbitrary context.

To determine the number $\ell^n_\epsilon$ of $\epsilon$-secure key bits that can be generated by the
above protocol, we use the following recent results: I) The amount of key that can be extracted from
a string $U^n$ is given by the uncertainty of the adversary about $U^n$, measured in terms of the
so-called smooth Rényi entropy, $S_2^\epsilon$, $S_0^\epsilon$. II) The amount of information $B$
needs to correct his errors, using optimal error correction, is given by his uncertainty about $A$'s
string (again measured in terms of the smooth Rényi entropy). Combining those results we find for
the number of $\epsilon$-secure bits [24]

$$\ell^n_\epsilon \approx \sup_{V^n \leftarrow U^n \leftarrow X^n} \left( S_2^\epsilon(\rho^n_{UEV}) - S_0^\epsilon(\rho^n_{EV}) - H_0^\epsilon(U^n | Y^n V^n) \right),$$

where $\approx$ means that equality holds up to some small term independent of $n$. In this formula,
$\rho^n_{UEV}$ is the density operator describing the string $U^n$ together with the adversary's
knowledge [25]. The supremum is taken over all preprocessing applied by $A$.

In the remaining part of this paper we show how a lower bound on the secret rate,
$r := \lim_{n \to \infty} (\ell^n_\epsilon / n)$, can be determined considering only two-qubit density
operators. To this aim we first of all fix some pre-processing by $A$. We assume that it is bit-wise,
i.e. for each bit value $X_i$ she computes $U_i$ and $V_i$ [30]. At the end we take the supremum with
respect to all such pre-processings.

$A$ and $B$ symmetrize their qubit pairs by applying a random permutation to the state $\rho_0$. Now
we can assume, without loss of generality, that the first $n_{p.e.}$ qubits are used for the
parameter estimation and the rest, $n_{data}$, is used to generate the key. $A$ and $B$ estimate the
error by measuring the $n_{p.e.}$ qubits in all the different bases used by the protocol, e.g. for
the BB84, they measure in the z- and x-basis. Since the state is symmetric and $n_{p.e.}$ is
sufficiently large, the data qubits, which can then all be measured in the same basis, say in the
z-basis, contain the same amount of error. As explained above, one can assume that the state
describing the data qubits has the simple form as in Eq. (1). Since the only free parameters are
the diagonal elements $\lambda_{n_1,n_2,n_3,n_4}$ (see Eq. (1)), the outcome of the parameter
estimation implies very strong conditions on them. In fact, conditioned on this outcome the data
qubits can be described by some state $\rho^n_Q$, where $Q = (n_1, n_2, n_3, n_4)/n$ is the frequency
distribution (depending on the parameter estimation outcome) of a Bell-measurement. The state
$\rho^n_Q$ has the same structure as the product state $\sigma_Q^{\otimes n}$, where $\sigma_Q$ is a
two-qubit Bell-diagonal state with eigenvalues $Q$. Due to this similarity one can show that the
smooth Rényi entropies of those states are the same. Finally, using the fact that the smooth Rényi
entropy of a product state is asymptotically equal to the von Neumann entropy, we obtain the
following lower bound on the secret rate

$$r \geq \sup_{\substack{U \leftarrow X \\ V \leftarrow U}}\; \inf_{\sigma_{AB} \in \Gamma_{QBER}} \left( S(U|VE) - H(U|YV) \right). \qquad (2)$$

In this formula, $S(U|VE)$ denotes the von Neumann entropy of $U$ conditioned on $V$ and $E$, i.e.,
$S(U|VE) := S(\sigma_{UVE}) - S(\sigma_{VE})$. The state $\sigma_{UVE}$ is obtained from
$\sigma_{AB}$ by taking a purification $\sigma_{ABE}$ of the Bell diagonal state
$\mathcal{D}_2(\sigma_{AB})$ and applying the measurement of $A$ followed by the classical channels
$U \leftarrow X$ and $V \leftarrow U$. Similarly, $Y$ is the outcome of $B$'s measurement applied to
the second subsystem of $\sigma_{ABE}$. The set $\Gamma_{QBER}$ contains all two-qubit states,
$\sigma$, for which the protocol computes a secret key when starting with the state
$\sigma^{\otimes n}$, where $\sigma$ is any state that $A$ and $B$ might share after a collective
attack by $E$. Thus, in order to prove full security for this class of QKD protocols one only has to
consider collective attacks. Note that, in order to compute a lower bound, $V$ can be discarded;
however, the pre-processing $X \to U$ turns out to be very important.

In order to derive this bound we assume that Eve has a purification of the state $\sigma$. This is
always possible as long as the encoding/decoding operators $(A_j, B_j)$ are unitary. This implies
that, for instance for the BB84 and the 6-state protocol, coherent attacks are not more powerful
than collective attacks [32].

To reduce the number of parameters even further one might consider only the set
$\mathcal{D}_2[\mathcal{D}_1(\Gamma_{QBER})]$. It contains only normalized two-qubit Bell-diagonal
states, i.e. Eq. (1) for $n = 1$. Due to the fact that this state is measured in the z-basis by $A$
and $B$ (and so is the QBER $= Q$) we have $\lambda_1 = 1 - Q - \lambda_2$, $\lambda_4 = Q - \lambda_3$.
The considered protocol, i.e. the map $\mathcal{D}_1$, implies then additional conditions on those
coefficients.

Using techniques from quantum information theory, one can show that if the supremum on the r.h.s.
is also taken over any quantum state $\rho_{UV}$ computed from $X$, then it is also an upper bound
for the rate $r$, i.e.,
$r \leq \min_\rho \sup_{V \leftarrow U \leftarrow X} [S(\rho_{UEV}) - S(\rho_{EV}) - H(U|VY)]$,
where the minimum is taken over all states $\rho = \rho_{ABE}$ that can be generated by an attack of
$E$.

The case of individual attacks ($n = 1$) has been widely studied, using a bound (sometimes called
Csiszár and Körner bound) which is similar to (2), but without the extra preprocessing terms:
$X \to U \to V$. A priori, one might think that the preprocessing $X \to U$ could not be of any
help, since the only choice $A$ has is to flip each bit value with some probability, i.e. to
introduce noise. However, this noise differs clearly from the channel's noise. Although it
diminishes $A$'s mutual information with $B$ it may more severely penalize $E$. For instance, for
the 6-state protocol numerical optimization shows that for all non zero QBERs it is always
advantageous for $A$ to first add some noise to her data, before the EC and PA.

Let us now illustrate our result for several protocols. For the BB84 the encoding/decoding
operators are $A_1 = B_1 = V_x$, $A_2 = B_2 = 1$, where $V_x$ is the Hadamard transformation. It is
easy to verify that
$\mathcal{D}_2[\mathcal{D}_1(\rho_0)] = (1 - Q - \lambda_1) P_{|\Phi^+\rangle} + \lambda_1 P_{|\Phi^-\rangle} + \lambda_1 P_{|\Psi^+\rangle} + (Q - \lambda_1) P_{|\Psi^-\rangle}$
with $0 \leq \lambda_1 \leq Q$. After minimizing the lower bound on the secret key rate (Eq. (2))
with respect to $\lambda_1$, we optimize over the pre-processing by $A$. We find for the optimal
values $\lambda_1 = Q - Q^2$ and $q \to 0.5$, the probability for $A$ to flip the bit value, that
the secret key rate is positive for all $Q < 0.124$. Note that if we would not optimize over the
pre-processing by $A$, we would obtain the well-known bound 0.1100 [10, 12]. Since the state $A$ and
$B$ share, before the EC and PA, is separable any entanglement-based proof of security fails. For
the upper bound we obtain the known result that the protocol is not secure if the QBER is higher
than 0.146 [23]. For the 6-state protocol we find that the secret key rate is positive as long as
$Q < 0.1412$ (known result 0.127 [13]). On the other hand, the protocol is insecure for all
$Q > 0.1623$. For the B92 we find a positive rate as long as $\delta < 0.0278$ (known result
$\delta < 0.0240$), where $\delta$ characterizes the depolarization of a channel introducing the same
amount of noise.
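
The lower bound (2) can be evaluated numerically for the BB84 state family given above; the following is an added example, not the authors' code. It assumes that $V$ is discarded and that $A$'s pre-processing flips each bit with probability q; the parameter `t` stands for the free eigenvalue of the BB84 state, and the six-state eigenvalues $(1 - 3Q/2, Q/2, Q/2, Q/2)$ are the standard symmetric form, an assumption not stated on this page.

```python
import math

def h(p):
    """Binary Shannon entropy in bits."""
    return 0.0 if p <= 0 or p >= 1 else -p * math.log2(p) - (1 - p) * math.log2(1 - p)

def pair_entropy(c, q):
    """von Neumann entropy of (1-q)|a><a| + q|b><b| for unit vectors with <a|b> = c."""
    s = math.sqrt(max(0.0, 1 - 4 * q * (1 - q) * (1 - c * c)))
    return h((1 + s) / 2)

def rate(lam, q):
    """S(U|E) - H(U|Y) for a Bell-diagonal two-qubit state, with V discarded.

    lam: eigenvalues for (|00>+|11>, |00>-|11>, |10>+|01>, |10>-|01>)/sqrt(2).
    q:   probability with which A flips each bit (the pre-processing X -> U).
    """
    l1, l2, l3, l4 = lam
    Q = l3 + l4  # error rate of the z-basis measurement
    # E holds the purification sum_i sqrt(lam_i)|Phi_i>_AB|e_i>_E. Given X = x her
    # state is a mixture of one pure state in span{e1,e2} (weight 1-Q, B's bit
    # agrees) and one in span{e3,e4} (weight Q, B's bit differs). c_ok and c_err
    # are the overlaps between her x = 0 and x = 1 states inside each block.
    c_ok = (l1 - l2) / (1 - Q) if Q < 1 else 1.0
    c_err = (l3 - l4) / Q if Q > 0 else 1.0
    s_ue = 1 + h(Q) + (1 - Q) * pair_entropy(c_ok, q) + Q * pair_entropy(c_err, q)
    s_e = -sum(l * math.log2(l) for l in lam if l > 0)
    return s_ue - s_e - h(Q * (1 - q) + (1 - Q) * q)

def bb84_bound(Q, q, steps=2000):
    """Infimum of rate() over the BB84 family (1-Q-t, t, t, Q-t), 0 <= t <= Q."""
    return min(rate((1 - Q - t, t, t, Q - t), q)
               for t in (Q * k / steps for k in range(steps + 1)))

def six_state_bound(Q, q):
    """Six-state protocol; eigenvalues are an assumption (not given on the page)."""
    return rate((1 - 1.5 * Q, Q / 2, Q / 2, Q / 2), q)

def threshold(bound, q, lo=0.0, hi=0.25):
    """Bisect for the QBER where bound(Q, q) changes sign (assumes one crossing)."""
    for _ in range(40):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if bound(mid, q) > 0 else (lo, mid)
    return (lo + hi) / 2

if __name__ == "__main__":
    print("BB84, no added noise: rate > 0 up to Q =", round(threshold(bb84_bound, 0.0), 4))
    for q in (0.0, 0.3, 0.45):
        print(f"q={q}: BB84 bound at Q=0.12 is {bb84_bound(0.12, q):+.6f}, "
              f"six-state bound at Q=0.13 is {six_state_bound(0.13, q):+.6f}")
```

With q = 0 the BB84 bound reduces to $1 - 2h(Q)$ and changes sign near $Q = 0.110$; at $Q = 0.12$ it is negative without added noise and positive for q = 0.45.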

To conclude, we studied the security of a class of QKD protocols, including the BB84, 6-state, and
B92 protocols, among many others. We presented a new security proof not based on entanglement
purification for all those protocols using one-way CPP. We show that in order to prove full
security one only has to consider collective attacks. We derived a lower bound on the secret key
rate involving only entropies of two-qubit density operators. It is shown that $A$ should add noise
before the EC and PA phase. Actually, this is why better bounds are achieved and also the reason
why entanglement-based proofs would fail here. We illustrated our results by presenting new bounds
on all the protocols mentioned above.